The Zeus banking Trojan may have had its heyday in the early 2010s. But like its namesake - the god of sky and thunder in ancient Greece and a mythological counterpart to Jupiter, Odin and Thor - the malware may well be immortal.

The longevity of Zeus malware is thanks, in part, to the sophisticated and highly effective Trojan having gone "open source" in 2011. That's when the source code for Zeus was leaked for unknown reasons, enabling anyone to "roll their own" banking Trojan, spawning numerous variants.

New variants continue to surface, including Terdot. The multipurpose malware, which has been around since at least mid-2016, is designed to steal online credentials not only for a number of banks but also for webmail providers and social networks, according to a report from Romanian anti-virus vendor Bitdefender.

"Terdot is sophisticated like a banker Trojan, but it behaves like an information stealer," Bogdan Botezatu, a senior e-threat analyst at Bitdefender, tells Information Security Media Group. He says the malware includes the ability to launch man-in-the-middle attacks against services used by infected endpoints, steal credentials as well as inject HTML into web pages, for example, to disguise behavior when users have logged into an online banking site. The Zeus variant also carries its own root certificate to bypass bank sites' use of HTTPS.
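A root certificate that the malware adds to the victim's trust store is what lets its HTTPS interception go unnoticed by the browser. The script below is an added example, not code from the article or from Bitdefender: it audits the Windows trusted-root stores against a baseline of thumbprints recorded on a known-clean host and reports any root certificate that has appeared since. The baseline path and the -Record switch are assumptions of this example.

```powershell
# Added example (not from the article or Bitdefender): audit the Windows
# trusted-root certificate stores against a saved baseline of thumbprints.
# A banking Trojan that installs its own root certificate so that its HTTPS
# man-in-the-middle proxy is trusted shows up here as a thumbprint that is
# absent from the baseline. $BaselinePath is a hypothetical location.
param(
    [string]$BaselinePath = "C:\ProgramData\RootStoreBaseline.txt",  # assumption
    [switch]$Record   # write the current stores out as the new baseline
)

$stores = @("Cert:\LocalMachine\Root", "Cert:\CurrentUser\Root")

# Collect every root certificate currently trusted, keyed by thumbprint.
$current = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        [pscustomobject]@{
            Store      = $store
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            NotBefore  = $_.NotBefore
            SelfSigned = ($_.Subject -eq $_.Issuer)
        }
    }
}

if ($Record) {
    # First run on a known-clean machine: persist the thumbprints as the baseline.
    $current | Select-Object -ExpandProperty Thumbprint | Sort-Object -Unique |
        Set-Content -Path $BaselinePath
    Write-Output ("Recorded {0} root thumbprints to {1}" -f @($current).Count, $BaselinePath)
    return
}

if (-not (Test-Path $BaselinePath)) {
    throw "No baseline at $BaselinePath; run with -Record on a clean host first."
}

$known = @{}
Get-Content -Path $BaselinePath | ForEach-Object { $known[$_.Trim()] = $true }

# Anything trusted now that was not trusted at baseline time deserves a look:
# a recent NotBefore date and a self-signed subject/issuer pair are typical
# of a root certificate that was generated and planted by malware.
$new = $current | Where-Object { -not $known.ContainsKey($_.Thumbprint) }

if (-not $new) {
    Write-Output "Root stores match the baseline."
} else {
    Write-Warning ("{0} root certificate(s) not in baseline:" -f @($new).Count)
    $new | Sort-Object NotBefore -Descending |
        Format-Table Store, Thumbprint, Subject, NotBefore, SelfSigned -AutoSize
}
```

Run it once with -Record on a freshly built machine, then periodically without the switch. The CurrentUser\Root store is writable without elevation, so malware running in the user's context can add a certificate there; the Windows-managed LocalMachine\Root store does change legitimately over time, so a reported difference is a lead to verify against a trusted source, not a verdict on its own.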

"Terdot is particularly interesting because it aims for more than wallets and is able to intercept all communications originating from the infected machine, decrypting them in real time and/or modifying data arbitrarily," he says. "It can be used as a cyber espionage tool that is extremely difficult to identify and stop."

Early this year, the independent information security researcher known as Hasherezade spotted Terdot acting as a dropper, referring to a piece of malware that's designed to install other pieces of malware. In this instance, Terdot was installing a version of Zeus, she said.

the payload.dll that I unpacked on the video is Terdot.A/Zloader and it downloads + injects the client32.dll (Zbot)

Highly Stealthy

At least so far, Terdot appears to be a relatively small-scale operation focused on Australian, British, Canadian and U.S. users, Botezatu says. "It is not the prevalence that inspired Bitdefender's team to look into the threat, but its capabilities to remain hidden once it infects a host," he explains.

One recently obtained sample of the malware includes code designed to steal different types of credentials, including those of:

On Thursday, Zeus Tracker, which tracks Zeus servers and offers related block lists, reported that it was tracking 479 Zeus command-and-control servers, of which 131 were online. It says Zeus binaries get detected on average 43 percent of the time, according to the VirusTotal free malware-scanning service.

Zeus formerly sold for $2,000 to $10,000 on underground forums. When its source code was leaked, some security experts suggested that it was done to throw investigators off the trail of whoever created it or might be using it. The Zeus code was also absorbed into the SpyEye banking Trojan code.

But Zeus wasn't the only malware that's seen its source code get leaked, purposefully or otherwise.

Last year, meanwhile, Mirai botnet source code was released, enabling anyone to create their own malware for infecting dozens of different types of internet of things devices. The code may have also already spawned IoT-infecting offspring, such as Reaper malware.

Gameover Zeus Heydays

The most-used free source code for creating "DIY malware," however, continues to be Zeus. Besides Terdot, last year, the source code first appeared in Floki Bot - aka flokibot - malware, which is designed to exploit point-of-sale devices. The malware, which first appeared for sale on darknet forums in September 2016, included numerous improvements to the Zeus source code, many of which were intended to help the malicious code evade detection (see Zeus-Derived Malware Continues to Pwn POS Devices).

But the most infamous Zeus variant to date was arguably the Gameover Zeus malware, which reused Zeus components and targeted online bank account credentials. The malware was also used to distribute CryptoLocker ransomware. In May 2014, a law enforcement takedown disrupted the operation, which the FBI estimated infected up to 1 million PCs worldwide and had been used to steal more than $100 million.

FBI Blames Bogachev For Creating Zeus

The FBI has blamed Russian citizen Evgeniy Mikhailovich Bogachev for creating Zeus and Gameover Zeus, and it's offering a reward of up to $3 million for information that leads to his arrest. Bogachev, aka "lucky12345" and "slavik," was first indicted in U.S. federal court in 2012 on charges that include bank fraud, identity theft and hacking.

Bogachev's name resurfaced earlier this year in the wake of the U.S. intelligence establishment warning that Russia had meddled in the 2016 U.S. presidential election. Authorities said they suspected Russian intelligence agencies of using Bogachev's malware to help them infiltrate PCs (see Report: Russian Espionage Piggybacks on Cybercrime).

But Bogachev remains at large, apparently in Russia. Unfortunately for Western law enforcement agencies, Russia doesn't extradite its citizens based on foreign indictments. So long as Bogachev sticks to his native country - and continues his alleged cooperation with Russian agencies - he seems likely to remain free and potentially to continue his alleged malware-writing ways.

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor of DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
